
Is there an accepted standard for passwords?
@vincebowdren Actually preventing a brute force attack is not at all up to the user. A user should make a password that's not easy to guess, but the system should be preventing brute force attacks (e.g., flagging or blocking accounts that have high numbers of failed attempts, having an escalating delay when responding after failed password attempts, using multi-factor authentication, etc.). Likewise, the system should be storing the password in a way that's not easy to crack if the database is compromised -- again, not a user issue.

Is it really a bad thing to place an ad TV in front of the stairs?
Context is important: if you are giving information useful to people entering the premises (such as who is in which conference room in a hotel/conference center) it would be good to put the display in a place easily visible -- and given your layout, suspending from the ceiling or mounting to a free-standing floor display may be more appropriate. If it's background advertising, the weather, or company newsletter-type content, then putting it in a place people are likely to see it while standing around waiting (e.g., visible from reception seating or line-up area) makes more sense.

Should I make users login to my Mobile App?
There are other ways to do analytic tracking (though that's an entirely different topic) that don't explicitly require user login, but still can fairly accurately tell you the number of unique users (think: originating IP address, user agent/handset identifiers, etc.).

Is h:mm:ss time format clear without a key?
It's worth asking, as the client probably didn't think of this when writing specs. In many cases, as you get a longer duration, precision becomes less important. When the duration is a couple of minutes, seconds are significant, but they become irrelevant if you're talking about several hours. A common way to do this is to display the "fuzzy" time (e.g. 1h 23m), but on hover, display the full detail (1h 23m 52.320s). How fuzzy it should be (10 hours 51 minutes vs about 11 hours vs half a day) is another question entirely.

Manual / Auto Refresh and users' selection
I'd elaborate on your "stock trading" example: you should consider updating individual field data in place, rather than approaching it as a "refresh the html <table> element" problem. The downside of this from a UX standpoint is that if the decision to perform the bulk action is highly dependent on the value of a field that can change at any time, the user may not be able to keep up and may perform actions they wouldn't necessarily want to perform otherwise. It's hard to give general advice here since it's so specific to the type of application, domain, and specific user expectations.

How many attempts should you give a user before invalidating his password?
There's another strategy I like: take an increasingly long time to validate each password, so for example, after 5 attempts it might take 10 seconds to come back with the response, and after 10 attempts it could take 40 seconds, and so on. This is one way to help defeat both manual and (short term) automated brute force attempts, purely because of the time involved. Actually locking the account completely is a pretty draconian move; aside from poor usability, it also introduces potential for denial-of-service attacks by deliberate bad password attempts.
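An added Python sketch of the escalating-delay strategy described in the two login comments above (it is not the commenter's code). The quadratic schedule, the three free attempts and the 300-second cap are my assumptions; the schedule is chosen only so that it reproduces the 10 s at 5 failures and 40 s at 10 failures quoted in the comment, and the cap exists so that a stream of deliberate bad passwords slows a victim down without shutting them out.

```python
import time
from dataclasses import dataclass
from typing import Callable

# Schedule from the comment: ~10 s after 5 failures, ~40 s after 10.
# delay = 0.4 * n**2 hits both points; the exact curve is an assumption.
DELAY_COEFF = 0.4
FREE_ATTEMPTS = 3      # assumption: a couple of typos cost the legitimate user nothing
MAX_DELAY = 300.0      # assumption: cap the wait so nobody can drive it to infinity


def response_delay(failures: int) -> float:
    """Seconds to hold the login response after `failures` consecutive failures."""
    if failures < FREE_ATTEMPTS:
        return 0.0
    return min(DELAY_COEFF * failures ** 2, MAX_DELAY)


@dataclass
class _AccountState:
    failures: int = 0


class LoginThrottle:
    """Escalating delay per account; the account itself is never locked."""

    def __init__(self, sleep: Callable[[float], None] = time.sleep):
        self._sleep = sleep
        self._accounts: dict[str, _AccountState] = {}

    def attempt(self, account: str, password_ok: bool) -> float:
        """Apply the delay for this attempt and return it. `password_ok` is the
        result of the credential check already performed by the caller."""
        st = self._accounts.setdefault(account, _AccountState())
        if password_ok:
            st.failures = 0          # success resets the counter
            return 0.0
        st.failures += 1
        delay = response_delay(st.failures)
        self._sleep(delay)           # hold the "invalid password" response
        return delay


def simulate(results: list[bool]) -> list[float]:
    """Constructed scenario: the delays one account would see for a sequence of
    attempt outcomes, with sleeping stubbed out so it runs instantly."""
    throttle = LoginThrottle(sleep=lambda _seconds: None)
    return [throttle.attempt("alice", ok) for ok in results]
```

`simulate([False] * 12)` shows the waits an automated guesser accumulates, while `simulate([False, False, True])` shows that a user who mistypes twice is never delayed.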